DNS
For privacy reasons, we provide two DNS-over-TLS resolvers. These are only accessible over port 853. We have no plans to provide DNS over port 53 (plaintext) or port 443 (HTTPS).
- Completely Uncensored
- No logging
- QNAME Minimisation
- DNSSEC
DNS-Over-TLS Clients
We suggest using either Unbound or Stubby.
Unbound has been independently audited. It is also fast and pretty straightforward to set up.
Unbound Configuration
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    rrset-roundrobin: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 104.244.72.77@853#dns1.nuked.me
Stubby Configuration
dnssec_return_status: GETDNS_EXTENSION_TRUE
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 104.244.72.77
    tls_port: 853
    tls_auth_name: "dns1.nuked.me"
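As an added illustration (not the provider's code and not part of the original page), the following Python script does by hand what Unbound and Stubby do with the configurations above: it opens a TLS session to 104.244.72.77:853, verifies the server certificate against the auth name dns1.nuked.me using the system CA bundle, and sends one DNS query with the 2-byte length framing that RFC 7858 borrows from DNS over TCP. The query-building and response-parsing helpers run offline; only dot_lookup needs network access.

```python
import socket
import ssl
import struct

RESOLVER_IP = "104.244.72.77"   # dns1.nuked.me, as given on the page
RESOLVER_PORT = 853
AUTH_NAME = "dns1.nuked.me"     # name the server certificate must match

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_response(resp: bytes) -> dict:
    """Pull transaction id, RCODE, TC bit and answer count from the header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200), "answers": an}

def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    """Read exactly n bytes; TLS records need not align with DNS messages."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session early")
        data += chunk
    return data

def dot_lookup(name: str, qtype: int = 1) -> dict:
    """Send one query over an authenticated TLS session (needs network access)."""
    ctx = ssl.create_default_context()   # system CA bundle, like tls-cert-bundle
    ctx.check_hostname = True            # the equivalent of tls_auth_name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((RESOLVER_IP, RESOLVER_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=AUTH_NAME) as tls:
            tls.sendall(frame(build_query(name, qtype)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))

if __name__ == "__main__":
    print(dot_lookup("example.com"))
```

If the certificate does not match dns1.nuked.me or does not chain to a trusted CA, wrap_socket raises ssl.SSLCertVerificationError rather than silently talking to the wrong resolver, which is exactly the behaviour GETDNS_AUTHENTICATION_REQUIRED enforces in Stubby.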
Notes
Depending on how you handle DNS currently, you may need to make other changes.
If you use a static /etc/resolv.conf, then you just need to edit the nameserver line to point locally, and Unbound handles the rest.
If you use systemd-resolved, you'll need to do the following:
Open the configuration file: nano /etc/systemd/resolved.conf
Uncomment and edit the DNS= line to read: DNS=127.0.0.1
Then restart systemd-resolved with: sudo service systemd-resolved restart
To check it's set correctly, run resolvectl dns, and that's it!
For Windows, see the further information at privacytools.io.